Industrial control systems security needs more work

Federal agencies and industries that use industrial control systems must avoid applying standard information security measures to secure such systems, an engineering expert advised members of the federal Information Security and Privacy Advisory Board, which met Sept. 13.

Keith Stouffer, a mechanical engineer at the National Institute of Standards and Technology’s Intelligent Systems Division, said standard antivirus protection and encryption technologies applied to industrial control systems could shut them down and, in some cases, create a public safety hazard.

Industrial control systems are typically field devices known as programmable logic controllers. “They’re basically stripped down PCs,” Stouffer said. They can’t handle cryptographic functions, such as authentication and encryption, which makes them vulnerable, he added.

Newer industrial control systems are built with Microsoft Windows operating systems and IP protocols “because they’re cheaper and easier to use,” Stouffer said. But by replacing systems built with specialized proprietary software and protocols, government and commercial industries have made their industrial control systems vulnerable to cyberattacks.

“That transition happened without thinking about security,” Stouffer said. “Now we’re having to fix what we asked for.”

Work is under way to develop security configurations for industrial control systems, he added.

Stouffer said many industry executives are unaware of cybersecurity vulnerabilities in their factories and critical infrastructures. “A lot of the higher-ups don’t know they have modems connected to the Internet,” he said. Cyberattackers can use tools called war dialers to find modems connected to industrial control systems.

The nuclear industry is probably safer than most, added Bruce Brody, the Energy Department’s associate chief information officer of cybersecurity and a member of the security advisory board. The nuclear industry still relies on proprietary protocols, so the security threat is not as great, he said.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.